
The Intervals Forum is Closed. This forum has been replaced with a help section located at help.myintervals.com.
We recommend checking the help section, as the forums are no longer being updated. If you have any questions, please don't hesitate to contact our support team.

Using the API with large numbers of executive users

We're looking at integrating Intervals with our existing admin site using the API. We already have a list of users in our admin site, and many of these are set up as executive users in Intervals (we're happy to keep maintaining two lists).

We want each admin site user to access their corresponding Intervals user account, but the only way we can see to do this is to send them to the API page and get them to copy-paste the API token. That's fine for some users, but this work would be for those clients who struggle using Intervals anyway (and computers in general).

Part of the reason we decided to go with tokens as an authentication mechanism was specifically to try to strike a balance between security and usability. Ultimately, we wanted to discourage developers from storing people's usernames and passwords in their applications. Rather, we wanted a system that would allow a user simple control over API access that was separate from his normal Intervals authentication. And we wanted to make sure that Intervals users were fully aware that they were allowing another application to access their Intervals data by granting them this token.

Now, we understand there's nothing preventing an application developer from prompting a user for his/her username and password, navigating to the API token page in the background, and retrieving the token from there (or even creating one if it does not exist). Though we discourage this practice, it may be an end run solution for your company's purposes.

Some stricter forms of authentication (3rd-party authentication like OAuth, used by Facebook) force users to log in to the user's account on the source site through a web browser, enter their credentials, and specifically grant access to the app requesting it (before returning to the application). While more secure, they have many more steps and are much more cumbersome. If your users are familiar with that process (if they have Facebook accounts, they probably are), you can perhaps automatically direct them to the API token page (https://{YOUR_DOMAIN}/account/api/). If they are not logged in, they can enter their credentials and will be directed to the proper page afterward.
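The reply above describes the token model: the integrating application holds a per-user API token rather than the user's Intervals password, the user grants it consciously on the account's API page, and it can be withdrawn separately from the user's normal login. The following is an added example (not code from Intervals or from the original post) of how an integrating admin site could hold those tokens on its side: one token per admin-site user, revocable per user, and never an Intervals password. It assumes that the token is presented to the API as the HTTP Basic username with a placeholder password ("X") and that tokens are alphanumeric; both are assumptions to check against the Intervals API documentation. The store is in-memory for illustration, and the token page URL is the one quoted in the reply.

```python
"""Per-user Intervals API token handling for an integrating admin site (example)."""
import base64
from typing import Dict, Optional

# Token page from the forum reply; each account has its own Intervals domain.
TOKEN_PAGE = "https://{domain}/account/api/"


def token_page_url(domain: str) -> str:
    """URL to send a not-yet-linked user to so they can copy their own API token.
    If they are not logged in, Intervals prompts for credentials on its own site,
    so the integrating application never sees the password."""
    return TOKEN_PAGE.format(domain=domain)


def basic_auth_header(token: str) -> str:
    """Authorization header value for an API call.
    Assumption (not confirmed by the thread): the token is the Basic-auth
    username and the password is a placeholder 'X'."""
    raw = f"{token}:X".encode("ascii")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def redact(token: str) -> str:
    """Token form that is safe to write to application logs: last four chars only."""
    return "*" * 4 + token[-4:]


class TokenStore:
    """Maps admin-site user ids to Intervals API tokens.

    Only tokens are stored, never Intervals usernames or passwords, so a
    compromise of this store cannot be turned into an interactive login, and a
    single user's access can be withdrawn without touching anyone else's.
    In-memory here; a production store would encrypt tokens at rest."""

    def __init__(self) -> None:
        self._tokens: Dict[str, str] = {}

    def link(self, admin_user_id: str, token: str) -> None:
        """Record the token a user pasted from the Intervals API page."""
        token = token.strip()
        # Assumption: Intervals tokens are alphanumeric; rejecting anything else
        # also stops a pasted password or URL from being stored by mistake.
        if not token or not token.isalnum():
            raise ValueError("API token must be a non-empty alphanumeric string")
        self._tokens[admin_user_id] = token

    def is_linked(self, admin_user_id: str) -> bool:
        return admin_user_id in self._tokens

    def revoke(self, admin_user_id: str) -> bool:
        """Drop the stored token; returns True if one was present."""
        return self._tokens.pop(admin_user_id, None) is not None

    def auth_header(self, admin_user_id: str) -> Optional[str]:
        """Authorization value for this user's API calls, or None if not linked."""
        token = self._tokens.get(admin_user_id)
        return basic_auth_header(token) if token else None


if __name__ == "__main__":
    store = TokenStore()
    store.link("alice", "abc123")            # constructed sample token
    print(store.auth_header("alice"))        # Basic YWJjMTIzOlg=
    print(redact("abc123"))                  # ****c123
    print(token_page_url("example.intervalsonline.com"))
```

A user who is not yet linked is sent to `token_page_url(...)` and pastes the token back into the admin site; from then on the admin site calls the API on their behalf with `auth_header(...)` and logs only `redact(...)`. The store deliberately has no place to put a password, which is the property the reply above is trying to preserve.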

OAuth does have several steps, but it works quite well by presenting the user one question at a time and then forwarding them on to the next question (which Intervals wouldn't).

I think I'll probably add an iframe with the API token page to our site, so that I can provide my own instructions around the iframe. Not really keen on it as a solution, but more for philosophical reasons than practical ones (teaching users to enter their password for one site into another site).